Relevant Cybercrime Examples

The rapid proliferation of advanced extortion strategies has been largely driven by the ransomware-as-a-service (RaaS) model. This framework allows cybercriminals to purchase or lease preconfigured ransomware packages, complete with documentation and technical support, enabling even those with minimal coding ability to carry out attacks. As a result, double and triple extortion have not only become more frequent but also far more destructive on a global scale, given their expanded scope and reach. In essence, RaaS has commercialized cyber extortion—transforming ransomware deployment into an accessible subscription-based industry. The following section explores several major ransomware organizations, their operational structures, and a few of the most consequential attacks they have executed.

Two of the most notorious and influential ransomware groups active today are Conti and REvil, both of which operate primarily under the RaaS model. These are not small, loosely organized groups of hackers but sophisticated criminal enterprises that mirror legitimate corporations. They employ software engineers, negotiators, financial managers, and even public relations specialists to manage communications and negotiations.

Conti, a Russian-speaking syndicate, gained global attention following its 2022 cyberattack on the Costa Rican government. In April of that year, Conti infiltrated 27 government agencies—including the Ministry of Finance, the customs office, and the national tax authority. The group demanded a ransom of $20 million USD in exchange for withholding the release of the nation’s sensitive financial and business data. When the government refused to pay, essential operations ground to a halt: tax and customs platforms went offline, medical records became inaccessible, public employees missed paychecks, and the country suffered an estimated $125 million in losses within 48 hours. On May 8, 2022, Costa Rica’s president declared a national emergency, labeling the incident a “state of war” (Cyber Law Toolkit). Leaked internal records later that year revealed that Conti maintained a hierarchical system with multiple levels of management, formal employee reviews, and even incentive-based bonus payments—evidence of its corporate-like operation.

REvil, also referred to as Sodinokibi, is another ransomware group believed to be based in Russia or Eastern Europe. Its most infamous operation targeted Kaseya, a U.S.-based software company, in 2021. By compromising Kaseya’s update mechanism, the attackers indirectly infected hundreds of businesses reliant on its systems. Initially, REvil demanded $70 million for a universal decryption key that would restore all affected files. However, after a cybersecurity researcher from the Krebs Stamos Group contacted the group for negotiation, the ransom was reduced to $50 million (Harding et al.). Ultimately, on July 21, 2021, Kaseya received a fully functional decryptor “from a trusted third party,” which successfully unlocked all encrypted files and was distributed freely to affected customers (Alder, Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack).

Two additional ransomware incidents—the Colonial Pipeline breach and the WannaCry outbreak—remain among the most impactful in cybercrime history.

The Colonial Pipeline attack of 2021 was orchestrated by DarkSide, another Russian-speaking RaaS collective. Distinct from other groups, DarkSide claimed it avoided targeting hospitals, educational institutions, and nonprofit organizations. Colonial Pipeline operates the largest fuel transportation network in the United States, moving approximately 2.5 million barrels of fuel per day through 5,500 miles (8,850 km) of pipelines connecting Gulf Coast refineries to markets across the East and South. It also supplies major airports, including Hartsfield-Jackson Atlanta International Airport, one of the world’s busiest by passenger volume. Following the shutdown, fuel markets reacted sharply—gasoline futures rose 0.6% and diesel prices climbed 1.1%, both outpacing crude oil (Bing and Kelly). The incident illustrated how ransomware attacks can ripple through national infrastructure, disrupting essential services and affecting millions of citizens in real time. Colonial Pipeline ultimately paid 75 Bitcoin (approximately $4.4 million USD) to the attackers (Chainalysis Team, How FBI Investigators Traced DarkSide’s Funds).

The WannaCry ransomware attack, launched in May 2017, represented a turning point in cyberwarfare. This self-propagating malware targeted computers running outdated versions of Microsoft Windows, encrypting their files and demanding payment in Bitcoin to unlock them. What made WannaCry exceptionally dangerous was its autonomous spreading capability—it exploited a Windows vulnerability known as EternalBlue, a cyberweapon originally developed by the U.S. National Security Agency (NSA) and leaked online by a group calling itself The Shadow Brokers (Newman). EternalBlue allowed WannaCry to move from one system to another without human involvement, triggering a worldwide epidemic that infected over 300,000 devices across more than 150 countries (Houlding). The outbreak exposed the catastrophic potential of weaponized software leaks and underscored the importance of timely system patching.

The Catalyst